Changeset 37646
- Timestamp:
- 06/06/2016 09:33:30 PM (8 years ago)
- Location:
- trunk
- Files:
-
- 3 edited
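--- a/trunk/src/wp-includes/functions.php
+++ b/trunk/src/wp-includes/functions.php
@@ -3106,4 +3106,26 @@
 
 /**
+ * Check that a JSONP callback is a valid JavaScript callback.
+ *
+ * Only allows alphanumeric characters and the dot character in callback
+ * function names. This helps to mitigate XSS attacks caused by directly
+ * outputting user input.
+ *
+ * @since 4.6.0
+ *
+ * @param string $callback Supplied JSONP callback function.
+ * @return bool True if valid callback, otherwise false.
+ */
+function wp_check_jsonp_callback( $callback ) {
+	if ( ! is_string( $callback ) ) {
+		return false;
+	}
+
+	$jsonp_callback = preg_replace( '/[^\w\.]/', '', $callback, -1, $illegal_char_count );
+
+	return 0 === $illegal_char_count;
+}
+
+/**
  * Retrieve the WordPress home page URL.
  *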
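Review bot: The docblock on the new wp_check_jsonp_callback says only alphanumerics and the dot are allowed, but the `\w` class in the preg_replace pattern also accepts the underscore (the test provider's 'cypress_creek' case depends on it), and without the `u` modifier PHP's PCRE can use locale-aware character tables, so under a non-C LC_CTYPE `\w` may admit bytes beyond ASCII. An explicit class such as `preg_replace( '/[^A-Za-z0-9_.]/', '', $callback, -1, $illegal_char_count );` keeps the check locale-independent, and the docblock should then read `Only allows alphanumeric characters, the underscore and the dot character`. The `$jsonp_callback` result of preg_replace is never read — only the by-reference count matters — so that assignment can be dropped. Counting illegal characters rather than matching an anchored `^...$` pattern is the right shape here, since `$` would tolerate a trailing newline.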
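--- a/trunk/src/wp-includes/rest-api/class-wp-rest-server.php
+++ b/trunk/src/wp-includes/rest-api/class-wp-rest-server.php
@@ -281,12 +281,6 @@
 		}
 
-		// Check for invalid characters (only alphanumeric allowed).
-		if ( is_string( $_GET['_jsonp'] ) ) {
-			$jsonp_callback = preg_replace( '/[^\w\.]/', '', wp_unslash( $_GET['_jsonp'] ), -1, $illegal_char_count );
-			if ( 0 !== $illegal_char_count ) {
-				$jsonp_callback = null;
-			}
-		}
-		if ( null === $jsonp_callback ) {
+		$jsonp_callback = $_GET['_jsonp'];
+		if ( ! wp_check_jsonp_callback( $jsonp_callback ) ) {
 			echo $this->json_error( 'rest_callback_invalid', __( 'The JSONP callback function is invalid.' ), 400 );
 			return false;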
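Review bot: The new assignment `$jsonp_callback = $_GET['_jsonp'];` drops the `wp_unslash()` the removed code applied before validation. For the validity decision that is neutral: a slashed quote contains a backslash, which the check rejects either way, and a value that passes contains no quotes or backslashes left to unslash. It does mean the raw superglobal value is what continues past this check, which is only safe while every later use goes through this same validated variable; a comment such as `// No unslashing needed: any backslash or quote is rejected by the check below.` would record that reasoning for the next reader. The enclosing method starts before the hunk and continues after it, and the isset guard on `$_GET['_jsonp']` is presumably above the hunk — worth confirming since the variable is now read unconditionally here.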
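--- a/trunk/tests/phpunit/tests/rest-api.php
+++ b/trunk/tests/phpunit/tests/rest-api.php
@@ -323,3 +323,28 @@
 	}
 
+	public function jsonp_callback_provider() {
+		return array(
+			// Standard names
+			array( 'Springfield', true ),
+			array( 'shelby.ville', true ),
+			array( 'cypress_creek', true ),
+			array( 'KampKrusty1', true ),
+
+			// Invalid names
+			array( 'ogden-ville', false ),
+			array( 'north haverbrook', false ),
+			array( "Terror['Lake']", false ),
+			array( 'Cape[Feare]', false ),
+			array( '"NewHorrorfield"', false ),
+			array( 'Scream\\ville', false ),
+		);
+	}
+
+	/**
+	 * @dataProvider jsonp_callback_provider
+	 */
+	public function test_jsonp_callback_check( $callback, $valid ) {
+		$this->assertEquals( $valid, wp_check_jsonp_callback( $callback ) );
+	}
+
 }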
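Review bot: The new provider has no non-string input even though the function's first branch exists for it, and no trailing-newline case, which is exactly what a later rewrite to an anchored `^[\w.]+$` pattern would silently start accepting. Adding `array( "Springfield\n", false ),`, `array( array( 'Springfield' ), false ),` and `array( null, false ),` to the invalid group pins both behaviours. Since the return is a bool, `$this->assertSame( $valid, wp_check_jsonp_callback( $callback ) );` is the stricter assertion than assertEquals and would catch a truthy non-bool leaking out.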